cookbook 'secret', '~> 1.0.0'
secret (1) Versions 1.0.0 Follow0
Managing secrets in Chef recipes
cookbook 'secret', '~> 1.0.0', :supermarket
knife supermarket install secret
knife supermarket download secret
secret cookbook
Managing secrets in Chef recipes.
Usage
secret = ::ChefCookbook::Secret::Helper.new(node) secret.get('postgres:password:root') # supersecretpassword
Approach
If you use Chef encrypted data bags for storing secrets (passwords, API keys etc.), you might have written some code like this below:
secret_val = data_bag_item(DATA_BAG_NAME, DATA_BAG_ITEM_NAME)[SUBKEY_1][SUBKEY_2][SUBKEY_3]
Assuming you have several servers (Chef nodes) and various environments (development, staging, production), the scheme below is good enough for managing secrets for all assets in one repository:
-
DATA_BAG_NAMEstands for a category. E.g.postgresfor stroring all PostgreSQL server user passwords. -
DATA_BAG_ITEM_NAMEstands for an environment. E.g.staging. -
SUBKEY_1(in fact, all top-level keys within JSON associated with a particular data bag item) stands for server (Chef node) FQDN.
With that in mind, the postgres::staging data bag item JSON will contain the following data:
{
"id": "staging",
"db1.example.com": {
"password": {
"root": "reallystrongpassword1"
}
},
"db2.example.com": {
"password": {
"reallystrongpassword2"
}
}
}
In order to obtain the necessary password while provisioning server db1.example.com, you can write in your recipe:
postgres_pwd = data_bag_item('postgres', node.chef_environment)[node['automatic']['fqdn']]['password']['root']
secret cookbook will make the difference:
secret = ::ChefCookbook::Secret::Helper.new(node) # initialize once in a recipe postgres_pwd = secret.get('postgres:password:root')
You only need to pass DATA_BAG_NAME and subkeys, excluding environment and FQDN values (they are detected automatically).
Advanced usage
secret_val = secret.get(query, options)
where query is a string and options is a Ruby Hash.
default option
secret.get will return a default value in case there is no one defined in a data bag item.
required option
Whether a value must be defined in a data bag item or by a default option. By default is true. A provision process will fail if a required value is not defined in a data bag item and there is no default value.
item option
Overrides DATA_BAG_ITEM_NAME. By default it equals node.chef_environment.
prefix_fqdn option
Whether or not prepend server (Chef node) FQDN to the query. By default is true. When the value is false, your data bag item JSON should look like this:
{
"id": "staging",
"password": {
"root": "reallystrongpassword1"
}
}
This may be suitable for environments with a single node or several nodes with shared secrets.
Not only can this option be customised in a server.get call, but it may also be changed globally with node['secret']['prefix_fqdn'] attribute (true by default).
Examples
val1 = secret.get('postgres:password:user', default: nil) val2 = secret.get('aws:s3:access_key', prefix_fqdn: false)
License
MIT @ Alexander Pyatkin
Collaborator Number Metric
1.0.0 failed this metric
Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.
Contributing File Metric
1.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Foodcritic Metric
1.0.0 passed this metric
No Binaries Metric
1.0.0 passed this metric
Testing File Metric
1.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
1.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number
1.0.0 failed this metric
1.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Foodcritic Metric
1.0.0 passed this metric
No Binaries Metric
1.0.0 passed this metric
Testing File Metric
1.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
1.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number
1.0.0 passed this metric
1.0.0 passed this metric
Testing File Metric
1.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
1.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number
1.0.0 failed this metric
1.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number
